Deliberation No. 2026-050 of 19 March 2026 approving a reference methodology relating to the processing of personal data carried out in the context of health research requiring the collection of the data subject’s consent for participation in the research (MR-001), and repealing Deliberation No. 2018-153

CNIL / Official Journal

The French Data Protection Authority (CNIL),

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR);

Having regard to the Civil Code;

Having regard to the Public Health Code;

Having regard to amended Law No. 78-17 of 6 January 1978 relating to information technology, files and civil liberties (“Data Protection Act”);

Having regard to Deliberation No. 2018-153 of 3 May 2018 approving a reference methodology relating to the processing of personal data carried out in the context of health research requiring the consent of the data subject (MR-001) and repealing Deliberation No. 2016-262 of 21 July 2016;

Having regard to Deliberation No. 2026-049 of 19 March 2026 approving the “security” appendix for reference methodologies relating to the processing of personal data carried out in the context of health research (security appendix);

Having regard to Deliberation No. 2026-052 of 19 March 2026 approving the “quality control” appendix for reference methodologies relating to the processing of personal data carried out in the context of health research (quality control appendix);

After hearing the report of Ms. Marie Zins and Mr. Fabien Tarissan, Commissioners, and the observations of Mr. Damien Milic, Government Commissioner,

Makes the following observations:

Certain processing operations involving personal data in the health sector are subject to prior formalities with the CNIL. These formalities generally take the form of a declaration of compliance with a framework approved by the CNIL or, exceptionally, an authorization request when the processing does not meet all the requirements of the applicable framework.

Since the GDPR entered into force, and in order to simplify procedures for stakeholders, the CNIL has adopted thirteen frameworks, including eight reference methodologies dedicated to health research, studies, and evaluations.

In the summer of 2024, the CNIL conducted a public consultation on all frameworks applicable to prior formalities in the health sector. This consultation helped identify stakeholders’ priority needs.

Considering the responses received, the conclusions of which were publicly reported, amendments to MR-001, adopted in 2018, proved necessary to take into account developments in:

  • the legal and regulatory framework;
  • practices in clinical research, particularly their extensive digitalization;
  • threats affecting the security of research information systems;
  • the state of the art in cybersecurity.

A data controller conducting research falling within the scope of MR-001 may implement it through a declaration of compliance, provided that the personal data processing complies with the provisions of MR-001, including the measures set out in the “security” appendix and the “quality control” appendix.

Under these conditions, the CNIL:

  • repeals Deliberation No. 2018-153 of 3 May 2018 approving a reference methodology relating to the processing of personal data carried out in the context of health research requiring the consent of the data subject (MR-001);
  • adopts the reference methodology relating to the processing of personal data carried out in the context of health research requiring the consent of the data subject (MR-001) attached to this deliberation.

This deliberation shall be published in the Official Journal of the French Republic.

The reference methodology enters into force upon publication in the Official Journal of the French Republic, with the exception of measure MR-SEC-12 concerning multi-factor authentication, which shall enter into force on:

  • 1 January 2027 for digital services, information systems, or digital tools used in research and accessible via the internet;
  • 1 January 2028 for all digital services, information systems, or digital tools used in research, whether internet-accessible or not.
